The Notice is interesting for several reasons. It appears to be the first dealing with “mass marketing” email campaigns where the offending business has taken formal advice and still fallen foul of the law. It also contains a helpful summary of some of the requirements of the Privacy and Electronic Communications (EC Directive) Regulations (PECR). We often see that a consideration of PECR is the “missing piece of the jigsaw” – businesses are either not aware of it, or have taken advice from service providers who are not aware of it, leading to risks that the policy is incomplete, or inaccurate.
The ICO accepted that Grove had adopted a “generally positive and pro-active approach” to data protection. It had worked with a “recognised specialist data protection consultancy” to establish parameters around its email marketing strategy and had also sought advice from an “independent data protection solicitor”. However, the advice it received turned out to be “misleading” (the ICO’s words, not mine). In other words, Grove relied on external providers to validate its approach, but the advice was defective. Notwithstanding its efforts, the ICO found that it did not obtain valid consent from the individuals to whom it sent the offending emails.
On the one hand, one might argue that businesses should have reference to regulatory guidance as well as professional advice (relying on the latter to interpret and apply the former). On the other, it is important to recognise that for some businesses, reliance on advice is fundamental to being able to shoulder the increasing number of regulatory obligations and time pressures that they face.
Whatever your viewpoint, it is fair to say that there has been a raft of incorrect advice/guidance issued by so-called “GDPR consultants” or “experts”, many of whom have surfaced in the past few years. We have not been alone in counselling caution as to outright reliance on such outfits, but had similarly not anticipated that reliance on incomplete advice would reach regulatory sanction so “early” in the legislation’s life.
The ICO made a number of very pertinent points in the Notice:
1. Whilst there was no deliberate breach of PECR, Grove knew or ought reasonably to have known that there was a risk of contravention.
The ICO noted that it has issued detailed, publicly available guidance on marketing requirements under data protection legislation and PECR.
The issue of “spam” marketing emails has also been highly visible in the media in the past few years and so businesses are expected to have had some notice of the problem.
As an entity registered with the ICO, the ICO expected Grove to be aware of its obligations under PECR.
A simple review of the customer “journey” would have highlighted the issues surrounding consent that the ICO determined had not been properly addressed by Grove.
2. Consent would not be valid if individuals are asked to consent to marketing communications from “similar organisations”, “partners”, “selected third parties” or other similarly generic descriptions. The transparency principle under GDPR (and indeed our local, equivalent legislation) requires that businesses are open as to what is being done with data.
3. The message around consent being “informed” and “freely given” has been reinforced in the recent Opinion of Advocate General Szpunar in the Planet 49 case, currently being considered by the European Court of Justice (ECJ). In that instance “pre-ticked” boxes have been confirmed as failing to meet the consent requirements of GDPR. The Opinion is not binding upon the ECJ, but given that it follows the received wisdom and EDPB guidance on these issues, it is anticipated that the ECJ may well agree with its content.
4. The seriousness of a complaint is not to be measured by reference to the number of complaints received, but (in this instance) by the number of offending messages sent.
The level of fine (£40,000) is lower than some other recent instances of “mass marketing” calls or messages (see for example DM Design Bedrooms Ltd (£60,000 fine, 1.6m calls) and Tax Return Ltd (£200,000 fine, 14.8m messages)). This perhaps reflects the fact that Grove had taken steps to try to effect a compliant policy. Nevertheless, the ICO noted the availability of detailed guidance, a review of which may well have avoided some of the problems the ICO identified.
Whilst the Notice is a decision of the ICO in the UK, it is likely that a similar approach would be taken locally if similar breaches were discovered. It is also worth noting that these rules apply to marketing to individuals; different rules apply to B2B marketing.
The Notice sends out a salutary warning to businesses to make sure that a detailed consideration of data protection matters is undertaken in relation to marketing activity (and indeed privacy matters more generally). Detailed guidance is available from the various supervisory authorities, though ultimately, interpreting it may still require some professional legal advice, taking into account the practical application “on the ground”. Looking at these issues in isolation, and without a detailed understanding of the operational impact, risks sanction despite your best efforts.